Slashdot Mirror


Analysis of the Witty Worm

DavidMoore writes "The Cooperative Association for Internet Data Analysis (CAIDA) and the University of California, San Diego Computer Science Department have an analysis of the recent Witty worm. Among other things, Witty was started in an organized manner with an order of magnitude more ground-zero hosts than any previous Internet worm."

5 of 415 comments (clear)

  1. Holy CRAP by Saint+Aardvark · · Score: 5, Insightful
    Jesus Christ, if you read that and weren't frightened, you're dead inside.

    The highest packet rate they saw was more than 23,000 per hour, sustained for at least one hour. The worm came out one day after eEye announced the vulnerability. It just went ahead and started erasing the hard drive, rather than just grep for passwords or credit card numbers. And this thing targeted and 0wned people who cared about the security of their computer!

    If you've read nothing else, check out the conclusion:

    It is both impractical and unwise to expect every individual with a computer connected to the Internet to be a security expert. Yet the current mechanism for dealing with security holes expects an end user to constantly monitor security alert websites to learn about security flaws and then to immediately download and install patches. The installation of patches is often difficult, involving a series of complex steps that must be applied in precise order.

    The patch model for Internet security has failed spectacularly. To remedy this, there have been a number of suggestions for ways to try to shoehorn end users into becoming security experts, including making them financially liable for the consequences of their computers being hijacked by malware or miscreants. Notwithstanding the fundamental inequities involved in encouraging people sign on to the Internet with a single click, and then requiring them to fix flaws in software marketed to them as secure with technical skills they do not possess, many users do choose to protect themselves at their own expense by purchasing antivirus and firewall software. Making this choice is the gold-standard for end user behavior -- they recognize both that security is important and that they do not possess the skills necessary to effect it themselves. When users participating in the best security practice that can be reasonably expected get infected with a virulent and damaging worm, we need to reconsider the notion that end user behavior can solve or even effectively mitigate the malicious software problem and turn our attention toward both preventing software vulnerabilities in the first place and developing large-scale, robust and reliable infrastructure that can mitigate current security problems without relying on end user intervention.

    I was thinking the other day about all the precautions you need to go through with a Windows box just to get a new install up-to-date; I was smug, and thinking that a Windows box without a firewall was like a person without a skin: no protection from infection, no way of stopping the most basic of attacks.

    And now reading this I feel that smugness just draining in a really hideous way. I use Linux and FreeBSD...what of it? I realize there is still a big difference between Unix and Microsoft, between a local and a remote exploit, between an ordinary user account and root. But I'm no longer convinced those differences are enough: there's a thousand programs available on my machines, and all that stands between me and 0wnership is a programming error and someone who decides that, you know what, seven thousand hosts is worth it.

    Nothing more to say at this point...I'm still staring uneasily at the blinking cable modem lights, wondering when it'll be my turn.

  2. not the best solution, maybe rethink the stack? by crimethinker · · Score: 5, Insightful
    This leads to the conclusion that firewall/AV software should be included as part of the baseline system

    That's a very good suggestion, except that in this case, the firewall software was the vulnerable component. No BlackICE, no Witty worm.

    I'm deeply troubled by this; we piss and moan about how the average windoze luser doesn't have a firewall or AV software, and then this pops up.

    Much as I would like to, I can't blame this on Microsoft. It's just sloppy programming, the sort of practice that M$ has made prevalent. There, I blamed M$ after all. Still, changing the permission model of Windoze wouldn't have helped this; BlackICE is exactly the sort of software that needs access to the network protocol stacks; it's supposed to be one of the trusted portion of the system, as compared to all those VBScript viruses that run as admin/root, but shouldn't.

    If I were designing a new CPU, I would think about including some hard-core stack protection. A no-execute bit in the MMU is a very good start, but still not bullet-proof. I'm thinking something (with OS assistance) to disallow all access beyond the link pointer for the current function call. Every CALL sets a new boundary, and every RET pops back to the last boundary. Try to write past the boundary, and you get a machine exception. Much finer granularity than 4K pages that most 32-bit MMU's provide.

    -paul

    --
    Pistol caliber is like religion: everyone has their favourite, and theirs is the only right choice.
  3. The cost of C/C++ and no bounds checking by wintermute42 · · Score: 5, Insightful

    I'm a long time UNIX/Linux hacker (I first programmed on UNIX on a VAX). I've written a lot of C/C++ code. But long ago I used Pascal and more recently I've been using Java more.

    Both Pascal and Java do range checking. That is, they check the bounds of arrays (buffers) when they are accessed. This means that about half of the security exploits (including the one, targeted at BlackIce etc...) would not be exist if our software base was implemented in languages with bounds checking.

    The original reason that bounds checking was not implemented in C was that the early compilers were very basic (little in the way of optimization) and bounds checking overhead slows execution. Bounds checking overhead can be reduced through optimization, but Ritchie's original C compiler only did simple optimization.

    Another problem is that in C pointers and arrays are more or less interchangable. So bounds checking becomes difficult or impossible in all cases (C provides way too much pointer flexibility when it comes to enforcing bounds checking).

    If we were to add up the cost of all of the buffer overflow security attacks it must run in the billions. So the "power" of the C programming model has extracted a pretty high price. This puts an interesting retrospective slant on Brian Kernighan's 1981 article Why Pascal is Not My Favorite Programming Language .

    I have to confess that I would not go back to using Pascal. But native compiled Java, with Java's bounds checks, would be far safer than C++. And it would result in software that is more robust against security attacks.

    Yes we can all learn to use fgets, strncpy and other safer library routines. But this only makes our code safer. It does not provide the complete protection against buffer overflow attacks. So perhaps it is time to reconsider the programming languages we are using. Perhaps unrestricted pointers and no bounds checking has become too costly.

  4. New tactical doctrine for attacks by Animats · · Score: 5, Insightful
    Virus writers are now developing a tactical doctrine. This suggests that future viruses will be more effective, not for technical reasons, but because the attacks will be organized more like military attacks. We now see virus writers getting inside the OODA cycle of the defenders. This is consistent with modern military tactical doctrine. Read MCDP-1, Warfighting. This short Marine Corps publication tells you how to think about war and how to win it. This revolutionized USMC doctrine, which previously focused on heroically advancing no matter what the opposition.

    A key point of modern tactical doctrine is to act faster than the opposition can react. Special operations types talk about the "period of vulnerability", which begins when the defender notices an attack and ends when the attacker achieves relative superiority. Most attacks fail during the period of vulnerability. So modern tactical doctrine says that it's worth huge amounts of effort and money to cut that time down. This is why special ops people rehearse and train to a level that seems unreasonable. It's not to make them good, athough it does. It's to make them fast, so they get through those first seconds and minutes at the beginning of an attack before the defenders can react.

    That's exactly what we saw with this worm. The attack was launched in a way that rendered the usual strategies of anti-virus companies ineffective. Anti-virus companies, (and Microsoft), have known response and patching cycle times. The creators of this worm got inside that cycle time, by building both a fast-propagating worm and by starting it from multiple points.

    Military doctrine gives us some insights on what to expect next. This worm invoved a campaign, a series of battles fought to achieve a goal. One attack acquired machines to be used as bases in a later attack. That's standard doctrine. Other relevant military concepts include mutual support, feints, and diversions. We are starting to see worms and viruses that support each other, so that if one is removed, another attack lets it back in. We may see feints and diversions, where a big noisy attack is launched to divert attention from something more subtle.

    Another doctrinal concept is that of combined arms. So far, virus writers generally haven't utilized other hacking techniques, like dumpster diving, social engineering, or wiretapping. That may change.

    We may well see an attack that wipes out most of the Internet-connected Windows machines in the world in a single day.

  5. Re:Why are you blaming ZoneAlarm? by Ralph+JH+Nader · · Score: 5, Insightful

    It was an honest mistake. I was thinking of BlackIce and put the wrong firewalling program. Blame my lack of sleep for the error. The rest of the argument remains true, however. Whether a security hole was discovered in Zonealarm, Blackice, or in any other Windows program, unless the bug was caused by a problem with Windows itself, it is not in itself a Windows worm.

    Another poster in the thread cited that worms affecting Outlook are Windows worms and Outlook is software that runs on Windows. The difference is that Outlook is bundled with IE, and is integrated into Windows and it is very difficult to seperate it. Surely I don't need to educate Slashbots on this. Since it is so tightly wrapped with Windows, and Microsoft claims it's an integral part of Windows (they told the DOJ that), then it's part of Windows. If the problem involves Windows, a component of Windows (such as a DLL shipped with it), or a program integrated into Windows or installed with Windows, then it's a Windows vulnerability. When BlackIce is installed with Windows by the Windows installer, then a BlackIce vulnerability would be considered a Windows vulnerability.

    In terms of Linux, a particular distro would be said to have a vulnerability if it involves the actual operating system or a package that the distro releases along with the OS. If I go install some buggy unsupported software on my Linux box, and then there's a worm for it, should that worm be considered an exploit of that distro since I was running that distro and was infected by the worm? That's absurd.